Context
I have a server setup which looks like this:
- An Apache server is listening for
example.com;
- Public port
80 is redirected to 443;
- Public port
443 is forwarded to a Symfony project;
- On the same machine, there is a local API server written in Rust, which is listening to
http://127.0.0.1:8030 (no SSL/TLS support);
- The local API is able to respond some sensitive data, like JWT authentication tokens;
https://example.com/api is a proxy to the local API server (ProxyPass and ProxyPassReverse,
see the Apache config below), in order to:
- expose the API to the final user with SSL/TLS support,
- and to be able to send XHR javascript requests to it, from the public Symfony website.
Note: I made this setup with a proxy for the local API because I had many troubles with CORS rules; but
this is not the subject of my question (I guess there are far, far better setups).
Question
Can this setup be considered as secure, or should it be a good point to add SSL/TLS support for the local API?
Apache configuration, a bit simplified
<VirtualHost *:80>
ServerName example.com
Redirect / https://example.com
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
DirectoryIndex /index.php
ProxyPass /api http://127.0.0.1:8030/
ProxyPassReverse /api http://127.0.0.1:8030/
SSLEngine on
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
SSLCompression off
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
DocumentRoot /var/www/html/symfony_project/public
<Directory /var/www/html/symfony_project/public>
AllowOverride All
Require all granted
Allow from All
FallbackResource /index.php
</Directory>
ErrorLog /var/log/apache2/symfony_project_error.log
CustomLog /var/log/apache2/symfony_project_access.log combined
</VirtualHost>
